Qualys


NetScaler Authentication 


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts and the most accurate results. 
This document provides tips and best practices for setting up NetScaler authentication. 


NetScaler Authentication for VM 


Why use authentication? 


With authentication, we can remotely log in to each target system with credentials that you 
provide, and because we're logged in, we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? It's recommended for vulnerability 
scans. 


What privileges are needed for vulnerability scans? 


The account you provide must be able to perform certain commands, for example: 1) execute "uname" to 
detect the platform for packages, 2) read /etc/redhat-release and execute "rpm" (if the target is 
running Red Hat), and 3) read /etc/debian_version and execute "dpkg" (if the target is running 
Debian). 


There are many more commands that must be performed. The "*NIX Authenticated Scan Process 
and Commands" article describes the types of commands run and gives you an idea of the 
breadth and scope of the commands executed. It includes a list of commands that a Qualys 
service account might run during a scan. Not every command is run every time, and *nix 
distributions differ. This list is neither comprehensive nor actively maintained. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 


For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 


What are the steps? 


First, set up a NetScaler user account and privileges on target hosts (we'll help you with this 
below). Then, using Qualys Vulnerability Management, complete these steps: 1) Add Unix 
authentication records (NetScaler uses the Unix Authentication record type; use New 
Authentication and select Unix Authentication). 2) Launch a vulnerability scan. 3) Run the 
Authentication Report to view the detailed report for each scanned host. For vulnerability scans, 
you must enable authentication in an option profile and then select the profile at scan time. Go 
to Scans > Option Profiles. Edit an option profile (or create a new one), go to the Scan section and 
select each type of authentication you want to use. 


Can I have multiple records? 


Yes. You can create multiple records with different IP addresses. Each IP address may be 
included in one Unix type record. 


NetScaler Authentication for PC 


Why use authentication? 


With authentication, we can remotely log in to each target system with credentials that you 
provide, and because we're logged in, we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? It's required for compliance scans. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


What are the steps? 


First, set up a NetScaler user account and privileges on target hosts (we'll help you with this 
below). Then, using Qualys Policy Compliance, complete these steps: 1) Add Unix authentication 
records (NetScaler uses the Unix Authentication record type for authentication and assessment of 
controls; use New Authentication and select Unix Authentication). 2) Launch a 
compliance scan. 3) Run the Authentication Report to view the authentication status for each 
scanned host. 


Can I have multiple records? 


Yes. You can create multiple records with different IP addresses. Each IP address may be 
included in one Unix type record. 
NetScaler Setup 


In order for scans to work properly, the following account and privileges must exist prior to 
running the scan. 


1) Create a User Account on NetScaler Instance 


Create a user account (for example, scanuser) that is dedicated to scanning the 
NetScaler devices. 


a. You can use any user name string for the user name. You'll need to provide the same 
user name in the Unix Authentication record in the Qualys UI. 


[Screenshot: Citrix NetScaler VPX, Configuration > System User page. User Name: qualysroot; Idle Session Timeout (secs): 900; Enable Logging Privilege: ENABLED; Enable External Authentication: true; Maximum Sessions: 20. Bindings: No Partition, 1 System Command Policy, No Group.] 


b. To change the configurations, use the following screen: 


[Screenshot: Citrix NetScaler VPX initial configuration wizard (logged in as nsroot). Sections: NetScaler IP Address (10.115.98.95, Netmask 255.255.255.0), Subnet IP Address, Host Name / DNS IP Address / Time Zone (Not configured / Not configured / CoordinatedUniversalTime), Licenses (0 license files present).] 


c. Once the user is created, assign a “read-only” policy directly or via the group to this user, 
which will be used to assess the controls during the scan. 


[Screenshot: User Command Policy Binding > Configure Command Policy. Policy Name: QualysPolicy; Action: ALLOW; Command Spec (cut off in the screenshot):] 

(^show\s+((aaa|audit|authentication|dns|ipsec|ns|vpn|ntp|policy|router|snmp|system|tunnel|user)\s+\S+|Service))|(^show\s+ ... 

The read-only Command Specification as shown in the Command Spec Editor: 

(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*) 


2) NetScaler uses the Unix Authentication record type for authentication and assessment of controls, 
so use New Authentication and select Unix Authentication. 


[Screenshot: New Unix Record dialog. Sections: Login Credentials, Private Keys / Certificates, Root Delegation, Policy Compliance Ports, Agentless Tracking, IPs, Comments. Login Credentials fields: Username, Get password from vault, Skip Password, Password, Clear Text Password, Confirm Password.] 
3) The following is the list of commands that are executed on the device to assess compliance 
controls. Supported versions are 10.x, 11.x and 12.x. 


shell cat /etc/sshd_config | grep "AllowTcpForwarding" 

shell 'nsconmsg -d stats | grep "small_window" | sed -E "s/ +/|:|/g"' 

shell cat /etc/issue 

show aaa ldapParams 

show aaa radiusParams 

show aaa tacacsParams 

show audit nslogParams 

show iptunnel | grep "Name" 

show ns feature 

show ns mode 

show ns mode | grep -w BridgeBPDUs 

show ns mode | grep -w DRADV 

show ns mode | grep -w DRADV6 

show ns mode | grep -w IRADV 

show ns mode | grep -w SRADV 

show ns mode | grep -w SRADV6 

show ns tcpbufParam 

show ntp server | grep NTP 

show ntp sync 

show run | grep "authentication ldapPolicy" 

show run | grep "authentication radiusPolicy" 

show run | grep "bind system group" 

show run | grep "bind system user" 

show snmp alarm | grep UNSET 

show snmp community -level verbose format INPUT 

show snmp manager | grep "IP" 

show ssl parameter 

show system user | grep "User name" 

show tcpParam 

show vpn parameter 

show vpn parameter -level verbose format OLD | grep "splitTunnel" 

show vpn sessionAction 

show aaa preauthenticationpolicy 

show acl -level verbose format OLD 

show authentication ldapAction -level verbose format OLD | grep serverIP 

show authentication radiusAction -level verbose format OLD | grep serverIP 

show authentication tacacsAction -level verbose format OLD | grep serverIP 

show authentication vserver -level verbose format OLD 

show interface -level verbose format OLD 

show ns httpProfile 

show ns ip6 -level verbose format OLD 

show ns ip -level verbose format OLD 

show ns ip -type NSIP -level verbose format OLD 

show ns version 

show responder action | grep 'Name|Operation|Target' 

show responder global 

show responder policy | grep 'Name|Active|* *$' 

show rewrite policy | grep 'Name|Active' 

show rpcNode -level verbose format OLD 

show run | grep "add vpn sessionAction" 

show run | grep "authentication Policy" 

show run | grep "bind ssl cipher" 

show run | grep "bind ssl service" | grep "certkeyName" 

show run | grep "bind ssl service" | grep "nshttps-127.0.0.1-443 -certkeyName" 

show service -level verbose format OLD | grep "TCPB YES" 

show snmp alarm -level verbose format OLD 

show snmp option -level verbose format OLD | grep "set snmp" 

show snmp user -level verbose format OLD 

show ssl profile -level verbose format OLD 

show ssl service -level verbose format OLD 

show ssl service -level verbose format OLD | grep "sessTimeout" 

show ssl vserver -level verbose format OLD 

show syslogAction 

show syslogAction -level verbose format OLD | grep "syslogAction" 

show syslogParams -level verbose format OLD | grep syslogParams 

show system parameter -level verbose format OLD | grep "system parameter" 

show vpn vserver -level verbose format OLD 
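As an added check (this script is not from Qualys or Citrix), the following Python code matches commands from the list in step 3 against the read-only Command Specification shown in step 1c; it assumes Python's re module approximates NetScaler's command-spec matching closely enough. It makes visible why the custom QualysPolicy above lists "system" explicitly: the read-only spec alone does not match "show system ..." or the "shell" commands, so a scan account bound only to that policy cannot run every command the assessment needs.

```python
import re
from typing import List, Tuple

# Read-only command policy spec, copied from the Command Spec Editor
# screenshot above. An ALLOW policy permits a command only if its spec
# matches the command line the user enters.
READ_ONLY_SPEC = (
    r"(^man.*)|(^show\s+(?!system)(?!configstatus)(?!ns ns\.conf)"
    r"(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)"
    r"(?!audit messages)(?!techsupport).*)|(^stat.*)"
)

# Assumption: Python's re engine (anchors, \s, negative lookaheads)
# behaves like the engine NetScaler uses for command specs.
def allowed_by(spec: str, command: str) -> bool:
    """True if an ALLOW policy with this spec would match the command."""
    return re.search(spec, command) is not None


def classify(spec: str, commands: List[str]) -> Tuple[List[str], List[str]]:
    """Split a command list into (permitted, not permitted) under the spec."""
    permitted = [c for c in commands if allowed_by(spec, c)]
    denied = [c for c in commands if not allowed_by(spec, c)]
    return permitted, denied


# A subset of the compliance commands listed in step 3 of NetScaler Setup.
SCAN_COMMANDS = [
    "show ns version",
    "show ns ip -type NSIP -level verbose format OLD",
    "show ssl parameter",
    'show system user | grep "User name"',
    'show system parameter -level verbose format OLD | grep "system parameter"',
    'shell cat /etc/sshd_config | grep "AllowTcpForwarding"',
    "shell cat /etc/issue",
]

if __name__ == "__main__":
    ok, blocked = classify(READ_ONLY_SPEC, SCAN_COMMANDS)
    print("Permitted by the read-only spec:")
    for cmd in ok:
        print("  " + cmd)
    print("Not permitted by the read-only spec (needs a broader ALLOW policy):")
    for cmd in blocked:
        print("  " + cmd)
```

Run the script against the full command list from step 3 after changing the spec to the one actually bound to the scan user, and any command that lands in the second group is one the Authentication Report will show as failing.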
Unix Authentication Record 


Go to Scans > Authentication. Then select New > Operating Systems > Unix. You might be 
interested in Unix subtypes. You'll see records for Cisco authentication and Checkpoint Firewall 
authentication under Network and Security. 


[Screenshot: Scans > Authentication list with the New menu open, showing Network and Security..., Applications..., Databases..., VMware..., System Record Templates..., Authentication Vaults and Download..., next to existing Unix authentication records.] 


Enter the Unix login credentials (user name, password) our service will use to log in to Unix hosts 
at scan time. Then walk through our wizard to select the options you want for private keys, root 
delegation, policy compliance and target IPs. Our online help is always available to assist you. 


[Screenshot: New Unix Record dialog, Login Credentials section filled in with a Username and Password; the remaining sections (Private Keys / Certificates, Root Delegation, Policy Compliance Ports, Agentless Tracking, IPs, Comments) are selected from the left-hand list.] 
Reports 


Sample VM Report 


[Sample VM scan results, March 18, 2020: on-demand scan scan/1584565167.51025 of 10.11.41.108-10.11.41.109 with option profile citrix_netscaler, run from scanner 10.11.58.122 (Scanner 11.8.30-1, Vulnerability Signatures 2.4.845-2), status Finished, duration 00:12:06. Unix/Cisco/Checkpoint Firewall authentication was successful for 2 hosts.] 
Sample PC Report 


[Sample PC report netscaler-all, February 10, 2020 at 14:44:25 (GMT-0800): policy NetScaler-all evaluated against host 10.115.98.95. Total Control instances: 68; Total Passed: 68 (100%); Total Failed: 0. Policy Modified: 02/10/2020 at 14:38:00 (GMT-0800); Policy Last Evaluated: 02/10/2020 at 14:41:15 (GMT-0800).] 


Last updated: May 27, 2022 